Per https://en.wikipedia.org/wiki/Wikipedia:Security_review_RfC, it seems like the admins mostly all agree to "Length increase to 8 bytes".
Initially, we will not set a minimum password length to login (which prevents logins for accounts with shorter passwords), so users in these groups, if they have a password shorter than 8, will still be logged in, but will be prompted to change their password every time they login.